Sumo Logic Cloud SIEM
App Vendor: Sumo Logic
Connector Category: Analytics and SIEM
Connector Version: 1.0.1
API Version: 1.0.0
About App
Sumo Logic Cloud SIEM is a cloud-based SIEM application that speeds up incident investigations by automatically triaging alerts and correlating threats across your environment. It gives security analysts the visibility needed to understand the impact and context of an attack. The Sumo Logic Cloud SIEM app lets security teams connect to the enterprise version of Sumo Logic Cloud SIEM and perform actions spanning threat intelligence, insights, entities, match lists and signals.
Signals: Signals are a collection of alerts, identified through pattern and threat intelligence matching, correlation logic, statistical evaluation, and anomaly detection of your log data.
Match lists: Match Lists are lists of important indicators and identifiers configured by an analyst. Match Lists are typically used to define “allow lists” of items, such as IP addresses, URLs, and hostnames, and so on, that you want to exempt from ordinary rule processing.
Entities: Entities are fundamental to the Insight generation process. There are four built-in entity types: IP address, hostname, username, or MAC address.
Insights: The Insight engine enables Cloud SIEM to detect advanced threats, low and slow attacks, as well as higher speed direct threats.
The Sumo Logic Cloud SIEM app is configured with the Orchestrate application to perform the following actions:
Action | Description |
---|---|
Get Signal Enrichment | This action retrieves the enrichment details of a signal. |
Add Item To Matchlist | This action adds an item to a match list. |
Get Matchlist Item | This action retrieves items from a match list. |
Update Entity Criticality | This action updates the criticality of an entity using the entity ID. |
Get All Entities | This action retrieves all the entities from Sumo Logic. |
Add Indicator | This action adds an indicator to Sumo Logic using the Threat Intel Source ID. |
Get Threat Intel Source Data | This action retrieves threat intel data about an intel source. |
Add Comment To Insight | This action adds a comment to an insight using the Insight ID. |
Update Insight Assignee | This action updates the assignee of an insight. |
Get Insight History | This action retrieves the history of an insight using the Insight ID. |
Get All Insights | This action retrieves all the insights. |
Update Threat Indicator | This action updates the threat indicator details. |
Get Threat Intel Sources | This action retrieves the threat intel sources. |
Get Threat Intel Indicators | This action retrieves the threat intel indicators from Sumo Logic. |
Update Match Lists | This action updates match lists using the Matchlist ID. |
Get Matchlist Details | This action retrieves the match list details using the Matchlist ID. |
Get Match Lists | This action retrieves all the match lists from Sumo Logic. |
Update Insight Status | This action updates the insight status using the Insight ID. |
Get Custom Entity Types | This action retrieves all the custom entity types from Sumo Logic. |
Search Signals | This action searches for signals using a query. |
Search Insights | This action searches for insights using a query. |
Get Entity Details | This action retrieves details about an entity using the Entity ID. |
Get Signal Details | This action retrieves details about a signal using the Signal ID. |
Get Insight Comments | This action retrieves comments on an insight using the Insight ID. |
Get Insight Details | This action retrieves insight details from Sumo Logic using the Insight ID. |
Configuration Parameters
The following configuration parameters are required for the Cloud SIEM app to communicate with the Cloud SIEM enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Access ID | Enter the Sumo Logic access ID. Example: "Ni19044969" | Text | Required | |
Access Key | Enter the Sumo Logic access key. Example: "XXXX972a2167c93df3372de34c2fb18bae5d319a" | Password | Required | |
Base URL | Enter the Sumo Logic base URL you're sending requests to. Example: "https://api.samplesumologicdomain.com" | Text | Required | |
Action: Get Signal Enrichment
This action retrieves the enrichment details of a signal using the Signal ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Signal ID | Enter the signal ID to retrieve the enrichment details. Example: "gs67ad6-6s5f-8i5t-a1b4-7sdgs569s" | Text | Required | The signal ID can be retrieved using the Search Signals action. |
Example Request
[ { "signal_id": "gs67ad6-6s5f-8i5t-a1b4-7sdgs569s" } ]
Action: Add Item To Matchlist
This action adds an item to a match list using the Matchlist ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Matchlist ID | Enter the Match List ID to add the new item to. Example: "789" | Text | Required | You can retrieve the Matchlist ID using the Get Match Lists action. |
Active | Enter the active status of the item. Example: "True" | Boolean | Required | Allowed values: True, False |
Expiration | Enter the expiration in date time format. Example: "2021-09-06T04:46:39Z" | Text | Required | |
Description | Enter the description to add to item. Example: "Used to exclude domains from flagging content" | Text | Required | |
Value | Enter the value to add. Example: "10.12.70.90" | Text | Required | |
Example Request
[ { "match_list_id": "789", "active": true, "expiration": "2021-09-06T04:46:39Z", "description": "Used to exclude domains from flagging content", "value": "10.12.70.90" } ]
Action: Get Matchlist Item
This action retrieves items from a match list using the Matchlist ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Matchlist ID | Enter the matchlist ID to retrieve items from. Example: "789" | Text | Required | You can retrieve the Matchlist ID using the Get Match Lists action. |
Example Request
[ { "match_list_id": "789" } ]
Action: Update Entity Criticality
This action updates the criticality of an entity using the entity ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Entity ID | Enter the entity ID to update the criticality. Example: "_hostname-win10--admin.sample" | Text | Required | You can retrieve the entity ID using Get All Entities action. |
Criticality | Enter the criticality of the entity to update. Example: "MEDIUM" | Text | Required | |
Example Request
[ { "entity_id": "_hostname-win10--admin.sample", "criticality": "MEDIUM" } ]
Action: Get All Entities
This action retrieves all the entities from Sumo Logic.
Action Input Parameters
This action does not require any input parameters.
Action: Add Indicator
This action adds an indicator to Sumo Logic using the Threat Intel Source ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Intel Source ID | Enter the threat intel source ID. Example: "40" | Text | Required | You can retrieve the source ID using Get Threat Intel Sources action. |
Active | Confirm the active status of an indicator. Example: "True" | Boolean | Required | |
Expiration | Enter the expiration in DateTime format. Example: "2021-09-06T04:46:39Z" | Text | Required | |
Description | Enter the description of the indicator to add. Example: "This is a test indicator" | Text | Required | |
Indicator | Enter the indicator to add. Example: "Suppressed" | Text | Required | |
Example Request
[ { "threat_intel_source_id": "40", "active": true, "expiration": "2021-09-06T04:46:39Z", "description": "Used to exclude domains from flagging content", "indicator": "Suppressed" } ]
Action: Get Threat Intel Source Data
This action retrieves threat intel data about an intel source.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Source ID | Enter the source ID to retrieve the threat intel data. Example: "40" | Text | Required | You can retrieve the source ID using Get Threat Intel Sources action. |
Example Request
[ { "source_id": "40" } ]
Action: Add Comment To Insight
This action adds a comment to an insight using the Insight ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Insight ID | Enter the insight ID to add a comment to. Example: "testInsight-882" | Text | Required | You can retrieve the insight ID using the Get All Insights action. |
Comment | Enter the comment to add to the insight. Example: "This is just a sample comment" | Text | Required | |
Example Request
[ { "insight_id": "testInsight-882", "comment": "This is just a sample comment" } ]
Action: Update Insight Assignee
This action updates the assignee of an insight.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Insight ID | Enter the insight ID to update the assignee for. Example: "testInsight-882" | Text | Required | You can retrieve the insight ID using the Get All Insights action. |
Type | Enter the assignee type. Example: "User" | Text | Required | Allowed values: |
Value | Enter the assignee to assign the insight to. Example: "user@testdomain.com" | Text | Required | |
Example Request
[ { "insight_id": "testInsight-882", "type": "User", "value": "user@testdomain.com" } ]
Action: Get Insight History
This action retrieves the history of an insight using the Insight ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Insight ID | Enter the insight ID to retrieve the history for. Example: "testInsight-882" | Text | Required | You can retrieve the insight ID using the Get All Insights action. |
Example Request
[ { "insight_id": "testInsight-882" } ]
Action: Get All Insights
This action retrieves all the insights from Sumo Logic.
Action Input Parameters
This action does not require any input parameters.
Action: Update Threat Indicator
This action updates the threat indicator details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator ID | Enter the ID of the threat indicator to update. Example: "s67dggd67hj7js789" | Text | Required | You can retrieve the indicator ID using the Get Threat Intel Indicators action. |
Active | Confirm the active status of an indicator. Example: "True" | Boolean | Required | |
Expiration | Enter the expiration in DateTime format. Example: "2021-09-06T04:46:39" | Text | Required | |
Description | Enter the description to update the indicator with. Example: "This is a test indicator" | Text | Required | |
Example Request
[ { "indicator_id": "s67dggd67hj7js789", "active": true, "expiration": "2021-09-06T04:46:39", "description": "Used in specific cases to exclude domains from flagging content" } ]
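The Add Item To Matchlist, Add Indicator and Update Threat Indicator actions above all take the same three error-prone fields: a boolean "active" flag, an "expiration" timestamp and free-text descriptions. The following is an added example, not code from the connector or from Sumo Logic: it builds those three payloads in the shape this page uses for its Example Request blocks (a JSON array holding one object per call) and rejects the mistakes a playbook most easily makes, namely a Python-style string "True" where a JSON boolean is needed, an expiration that is not a UTC ISO 8601 timestamp of the form shown on the page, and an expiration that has already passed (an item that is already expired is silently useless). The field names come from the page; the validation rules are this example's own assumptions about what the connector expects.

```python
"""Added example (not the connector's or Sumo Logic's own code): build and
validate request payloads for the Add Item To Matchlist, Add Indicator and
Update Threat Indicator actions documented on this page.
"""
import json
import re
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# The page's expiration examples look like "2021-09-06T04:46:39Z": ISO 8601,
# seconds precision, UTC marked by a trailing "Z". Assumed to be the
# required form.
_EXPIRATION_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def _parse_utc(value: str, field: str) -> datetime:
    if not _EXPIRATION_RE.match(value):
        raise ValueError(
            f"{field} must look like 2021-09-06T04:46:39Z, got {value!r}"
        )
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )


def validate_expiration(value: str, now: Optional[str] = None) -> str:
    """Return `value` if it is well formed and, when `now` (same format) is
    given, still in the future. With `now=None` only the format is checked."""
    expires_at = _parse_utc(value, "expiration")
    if now is not None and expires_at <= _parse_utc(now, "now"):
        raise ValueError(f"expiration {value} is already in the past")
    return value


def is_valid_expiration(value: str, now: Optional[str] = None) -> bool:
    """Boolean form of validate_expiration for pre-flight checks."""
    try:
        validate_expiration(value, now)
        return True
    except ValueError:
        return False


def _require_bool(name: str, value: Any) -> bool:
    # json.dumps would serialise the string "True" as "\"True\"", which the
    # API will not read as a boolean, so insist on a real bool here.
    if not isinstance(value, bool):
        raise TypeError(f"{name} must be a bool, got {type(value).__name__}")
    return value


def _require_text(name: str, value: Any) -> str:
    if not isinstance(value, str) or not value.strip():
        raise ValueError(f"{name} must be a non-empty string")
    return value.strip()


def build_add_matchlist_item_request(match_list_id: str, value: str,
                                     description: str, expiration: str,
                                     active: bool = True,
                                     now: Optional[str] = None) -> List[Dict[str, Any]]:
    """Payload for the Add Item To Matchlist action."""
    return [{
        "match_list_id": _require_text("match_list_id", match_list_id),
        "active": _require_bool("active", active),
        "expiration": validate_expiration(expiration, now),
        "description": _require_text("description", description),
        "value": _require_text("value", value),
    }]


def build_add_indicator_request(threat_intel_source_id: str, indicator: str,
                                description: str, expiration: str,
                                active: bool = True,
                                now: Optional[str] = None) -> List[Dict[str, Any]]:
    """Payload for the Add Indicator action."""
    return [{
        "threat_intel_source_id": _require_text("threat_intel_source_id",
                                                threat_intel_source_id),
        "active": _require_bool("active", active),
        "expiration": validate_expiration(expiration, now),
        "description": _require_text("description", description),
        "indicator": _require_text("indicator", indicator),
    }]


def build_update_threat_indicator_request(indicator_id: str, description: str,
                                          expiration: str, active: bool = True,
                                          now: Optional[str] = None) -> List[Dict[str, Any]]:
    """Payload for the Update Threat Indicator action."""
    return [{
        "indicator_id": _require_text("indicator_id", indicator_id),
        "active": _require_bool("active", active),
        "expiration": validate_expiration(expiration, now),
        "description": _require_text("description", description),
    }]


def to_json(payload: List[Dict[str, Any]]) -> str:
    """Serialise with json.dumps so booleans become true/false, not True/False."""
    return json.dumps(payload)


if __name__ == "__main__":
    # Constructed sample values mirroring the page's Add Item To Matchlist example.
    req = build_add_matchlist_item_request(
        "789", "10.12.70.90", "Used to exclude domains from flagging content",
        "2021-09-06T04:46:39Z")
    print(to_json(req))
```

Passing `now` as the same "YYYY-MM-DDTHH:MM:SSZ" string keeps the check deterministic in a playbook and in tests; omit it to validate only the format.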
Action: Get Threat Intel Sources
This action retrieves the threat intel sources.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Limit | Enter the limit of responses to display. Example: 10 | Text | Optional | |
Offset | Enter the value to start from. Example: 1 | Text | Optional | |
Sort Dir | Enter the sort direction for the response. | Text | Optional | Allowed values: |
Example Request
[ { "limit": 10, "offset": 1 } ]
Action: Get Threat Intel Indicators
This action retrieves the threat intel indicators from Sumo Logic.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the query to retrieve the threat intel indicators. Example: ["lastUpdated": "2021-09-06T04:46:39Z"] | List | Optional | |
Value | Enter the threat value to search for. | Text | Optional | |
Offset | Enter the value to start from. Example: 1 | Text | Optional | |
Limit | Enter the limit of responses to display. Example: 10 | Text | Optional | |
Example Request
[ { "limit": 10, "offset": 1 } ]
Action: Update Match Lists
This action updates match lists using the Matchlist ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Matchlist ID | Enter the matchlist ID to update. Example: "789" | Text | Required | You can retrieve the Matchlist ID using the Get Match Lists action. |
Active | Confirm the active status. Example: True | Boolean | Required | Allowed values: True, False |
Default TTL | Enter the default TTL (Time to live) for the new item in seconds. Example: 0 | Integer | Required | Default value: 0 |
Description | Enter the description to update the match list with. Example: "This is a sample comment" | Text | Required | |
Example Request
[ { "match_list_id": "789", "active": true, "default_ttl": 0, "description": "This is a sample comment" } ]
Action: Get Matchlist Details
This action retrieves the match list details using the Matchlist ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Matchlist ID | Enter the matchlist ID to retrieve the match list details. Example: "789" | Text | Required | You can retrieve the Matchlist ID using the Get Match Lists action. |
Example Request
[ { "match_list_id": "789" } ]
Action: Get Match Lists
This action retrieves all the match lists from Sumo Logic.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Limit | Enter the limit of responses to display. Example: 10 | Text | Optional | |
Offset | Enter the value to start from. Example: 1 | Text | Optional | |
Sort Dir | Enter the sort direction for the results. Example: "Asc" | Text | Optional | Allowed values: |
Example Request
[ { "limit": 10, "offset": 1 } ]
Action: Update Insight Status
This action updates the insight status using the Insight ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Insight ID | Enter the insight ID to update the status for. Example: "testInsight-882" | Text | Required | |
Resolution | Enter the resolution status of the insight. Example: "Duplicate" | Text | Required | Allowed values: |
Status | Enter the status to update the insight to. Example: "Resolved" | Text | Required | Allowed values: |
Example Request
[ { "insight_id": "testInsight-882", "resolution": "Duplicate", "status": "Resolved" } ]
Action: Get Custom Entity Types
This action retrieves all the custom entity types from Sumo Logic.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Offset | Enter the value to start from. Example: 1 | Text | Optional | |
Limit | Enter the limit of responses to display. Example: 10 | Text | Optional | |
Example Request
[ { "limit": 10, "offset": 1 } ]
Action: Search Insights
This action searches for insights using a query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the query to retrieve insights from Sumo Logic. Example: ["Severity": "Low"] | Text | Required | Allowed values: |
Offset | Enter the value to start from. Example: 1 | Text | Optional | |
Limit | Enter the limit of responses to display. Example: 10 | Text | Optional | |
Exclude | Enter the values to exclude from this search. | Text | Optional | |
Example Request
[ { "limit": 10, "offset": 1, "query": { ["Severity": "Low"] } } ]
Action: Search Signals
This action searches for signals using a query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the search query to retrieve signals from Sumo Logic. Example: ["timestamp": "2021-09-06T04:46:39Z"] | Text | Required | Allowed values: |
Offset | Enter the value to start from. Example: 1 | Text | Optional | |
Limit | Enter the limit of responses to display. Example: 10 | Text | Optional | |
Example Request
[ { "query":{ ["timestamp": "2021-09-06T04:46:39Z"] }, "limit": 10, "offset": 1 } ]
Action: Get Entity Details
This action retrieves details about an entity using the Entity ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Entity ID | Enter the entity ID to retrieve details about. Example: "_hostname-win10--admin.sample" | Text | Required | You can retrieve the entity ID using Get Custom Entity Types action. |
Example Request
[ { "entity_id": "_hostname-win10--admin.sample" } ]
Action: Get Signal Details
This action retrieves details about a signal using the Signal ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Signal ID | Enter the signal ID to retrieve the details for. Example: "testsignal-882" | Text | Required | You can retrieve the signal ID using the Search Signals action. |
Example Request
[ { "signal_id": "testsignal-882" } ]
Action: Get Insight Comments
This action retrieves comments on an insight using the Insight ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Insight ID | Enter the insight ID to retrieve the comments for. Example: "testInsight-882" | Text | Required | You can retrieve the insight ID using the Search Insights action. |
Example Request
[ { "insight_id": "testInsight-882" } ]
Action: Get Insight Details
This action retrieves insight details from Sumo Logic using the Insight ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Insight ID | Enter the insight ID to retrieve the details for. Example: "testInsight-882" | Text | Required | You can retrieve the insight ID using the Search Insights action. |
Example Request
[ { "insight_id": "testInsight-882" } ]